
Detecting WPA2 PMKID Capture in Your Wireless Estate

How the clientless PMKID attack pulls a crackable hash from WPA2 APs — and the monitoring, WPA3 migration, and passphrase policy that defend against it.


The PMKID attack changed the economics of WPA2 cracking. Where the classic attack needed you to capture a four-way handshake, which meant waiting for (or forcing) a client to connect, the PMKID approach pulls crackable material from a vulnerable access point with no legitimate client present: the attacker's own card sends an association request and the AP answers with the first handshake message, which already carries the PMKID. For defenders, the lesson is that “no one was connected” is not a defense. This post explains the mechanism in the lab, then focuses on what actually stops it.

How the technique works

When a station begins to associate with a WPA2-PSK access point, the AP can include a PMKID in the RSN information element of the first EAPOL message (message 1 of the four-way handshake); APs with roaming features such as 802.11r enabled commonly do. The PMKID is the first 128 bits of HMAC-SHA1 keyed with the Pairwise Master Key (PMK) over the fixed label “PMK Name” followed by the AP’s MAC (BSSID) and the station’s MAC. Because the PMK is itself PBKDF2-HMAC-SHA1 (4096 iterations) of the passphrase salted with the SSID, an attacker holding the PMKID, both MACs and the SSID can test candidate passphrases offline: derive the PMK, recompute the PMKID, compare.

The capture is collected with standard monitor-mode tooling (hcxdumptool is the usual choice) and converted with hcxpcapngtool to the hashcat mode 22000 format, which carries the PMKID, both MACs and the ESSID in a single line. From there it is a pure offline cracking problem: throughput is bounded by GPU budget and passphrase strength, with no further interaction with the network. The relevant ATT&CK mappings are T1040 (Network Sniffing) and T1110.002 (Brute Force: Password Cracking).

Detection

Wireless attacks are hard to detect from the wire alone, so detection lives in the RF and management-frame layers:

  • Wireless IDS / IPS. A WIDS sensor (or your AP vendor’s rogue-AP and anomaly features) can flag deauthentication floods, rogue/evil-twin APs, and abnormal association patterns near your APs. A PMKID sweep looks like a burst of association requests from unfamiliar client MACs that each receive message 1 and never send message 2; controller logs of associations that never complete the handshake are worth alerting on.
  • Deauth as a signal. While PMKID itself is clientless, real engagements often pair it with deauth attacks to also grab handshakes. A spike in deauthentication frames is a classic, detectable indicator.
  • New BSSIDs broadcasting your SSID. An evil-twin AP impersonating your network is a strong tampering signal — monitor for unexpected BSSIDs advertising your ESSID.
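To make the two RF-layer signals above concrete, an added example (not from the original post or any WIDS product) that runs a deauth-burst detector and an unknown-BSSID check over a constructed feed of decoded management frames. The addresses, SSID, window and threshold are assumptions you would replace with your own inventory and tuning.

```python
from collections import defaultdict

# Assumed inventory: ESSID -> the BSSIDs we actually operate (constructed values).
KNOWN_APS = {"corp-wifi": {"02:00:00:00:aa:01", "02:00:00:00:aa:02"}}

DEAUTH_WINDOW_S = 10    # sliding window length in seconds (tuning assumption)
DEAUTH_THRESHOLD = 20   # deauths per source per window before we alert (assumption)


def sample_frames():
    """Constructed sample of decoded 802.11 management frames as
    (timestamp_s, subtype, transmitter/BSSID, ssid). In production these come
    from a monitor-mode capture or the WIDS sensor's frame feed."""
    frames = []
    for t in range(0, 60, 5):                       # normal beacons, both legit APs
        frames.append((t, "beacon", "02:00:00:00:aa:01", "corp-wifi"))
        frames.append((t, "beacon", "02:00:00:00:aa:02", "corp-wifi"))
    for t in (3, 17, 29, 44, 58):                   # clients leaving: benign deauths
        frames.append((t, "deauth", "02:00:00:00:aa:02", None))
    for i in range(40):                             # flood spoofing aa:01 within 2 s
        frames.append((30 + i * 0.05, "deauth", "02:00:00:00:aa:01", None))
    frames.append((32, "beacon", "02:00:00:00:ee:ee", "corp-wifi"))  # evil twin
    return sorted(frames, key=lambda f: f[0])


def detect_deauth_flood(frames, window=DEAUTH_WINDOW_S, threshold=DEAUTH_THRESHOLD):
    """Alert when one transmitter emits more than `threshold` deauth frames
    inside any `window`-second span. Keyed on the transmitter address because a
    deauth attack spoofs the AP's own BSSID. Returns {bssid: peak_count}."""
    per_source = defaultdict(list)
    for ts, subtype, bssid, _ in frames:
        if subtype == "deauth":
            per_source[bssid].append(ts)
    alerts = {}
    for bssid, times in per_source.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[bssid] = peak
    return alerts


def detect_unknown_bssids(frames, known=KNOWN_APS):
    """Beacons or probe responses advertising one of our ESSIDs from a BSSID
    that is not in our inventory. Returns a set of (bssid, ssid)."""
    suspects = set()
    for _, subtype, bssid, ssid in frames:
        if subtype in ("beacon", "probe_resp") and ssid in known and bssid not in known[ssid]:
            suspects.add((bssid, ssid))
    return suspects


if __name__ == "__main__":
    frames = sample_frames()
    print("deauth flood:", detect_deauth_flood(frames))
    print("unknown BSSIDs on our ESSID:", detect_unknown_bssids(frames))
```

The benign deauths in the sample never cluster, so the window keeps them below threshold; the forty frames in two seconds trip it. Tune the threshold against a week of your own baseline before turning it into a page-out alert, and treat the unknown-BSSID check as inventory-dependent: a stale inventory produces false positives the moment a new AP is racked.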

Prevention and hardening

  • Move to WPA3-SAE. SAE is a password-authenticated key exchange, so a captured exchange gives an attacker nothing to crack offline. Prefer WPA3-only where your clients allow it. WPA3-transition mode keeps a WPA2-PSK path open for legacy clients, so the passphrase on a transition SSID is still crackable through that path and must be treated as a WPA2 passphrase until migration finishes.
  • Enforce long, random passphrases (20+ characters) on any WPA2-PSK network that must remain. Every guess costs the attacker 4096 PBKDF2-HMAC-SHA1 iterations, so a random 20+ character passphrase is beyond any realistic GPU budget, while a dictionary word with a year appended falls in minutes.
  • Use 802.1X (WPA2/3-Enterprise) for corporate networks so there is no shared PSK to crack at all.
  • Segment guest and IoT SSIDs so a cracked PSK does not expose the core network.

Tooling for an authorized lab

Disclosure: Some links below are affiliate links. If you buy through them, darkpwn may earn a commission at no extra cost to you. We only recommend training and tools we actually use in our own lab, and affiliate links never influence editorial coverage.

If you are standing up a legal home lab to study wireless defense, structured training is the safest on-ramp — it gives you authorized targets instead of tempting you toward real networks. Platforms such as TryHackMe and Hack The Box provide guided, authorized wireless and network-security labs. For RF experimentation against hardware you own, a Flipper Zero is a common bench tool.

The takeaway

PMKID proved that “nobody was connected” is not wireless security. But the defense is unglamorous and durable: migrate to WPA3, enforce strong passphrases, watch the RF layer for deauth and evil twins, and prefer 802.1X where you can. Understand the capture; make the crack worthless.

The offline-cracking economics here are the same ones behind Kerberoasting. To turn the RF and management-frame signals above into alerts that hold up, see writing Sigma rules that actually fire, and browse more in Hardware Security and Detection Engineering.

Frequently asked questions

Does the PMKID attack require connected clients?

No — that is what makes it notable. The original WPA2 handshake capture needed a client to authenticate (often forced with a deauth). The PMKID attack retrieves the needed material directly from an access point that includes the PMKID in its first EAPOL message: the attacker’s own association request is enough to elicit it, so no legitimate client needs to be present.

Does WPA3 stop PMKID cracking?

Yes, for SAE-only networks. WPA3-SAE (Simultaneous Authentication of Equals) is resistant to the offline dictionary attack that makes PMKID/handshake cracking viable. WPA3-transition mode still exposes a WPA2-PSK path for legacy clients, so the passphrase on a transition SSID remains crackable that way; pair transition mode with a long random passphrase until every client can use SAE.
